* Stuart Henderson <st...@openbsd.org> [2013-08-15 12:28]:
> On 2013/08/14 22:05, Philip Guenther wrote:
> > > # Only match connections that will be forwarded (or nothing listening
> > > on the local host)
> > > pass in proto tcp user unknown
> >
> > pass in proto tcp to !self
> >
> > (Does this hit the optimizer issue?)
>
> This one is fun. It depends on how many addresses "self" has -
> if it's a small number of addresses then the optimizer is *not* used
> and it expands to:
>
> pass in proto tcp to !someaddr
> pass in proto tcp to !otheraddr
>
> so it doesn't do the right thing.
>
> But add a few more addresses and the optimizer kicks in replacing
> the list of addresses with a table,
>
> pass in proto tcp to !<__automatic_1>
>
> which *does* work as expected.

the old macro expansion issue. pretty much unfixable. fwiw, I tend to do
table <self> persist { self } and then use <self>.

> I think that, as things stand, either the documentation or implementation
> are wrong:
>
> "The value unknown matches packets of forwarded connections."

the uid/gid-of-socket code in pf hasn't been touched in ages if ever after
initial implementation, if it's wrong nobody noticed in many many many
years (not impossible).

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS Services. Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/
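A toy model of the two expansions Stuart describes, added here as an illustration and not code from the thread or from pf itself. It assumes a simplified pf evaluation (last matching rule wins, no "quick", no state) and constructed addresses for "self", and shows why a list of per-address negated pass rules lets traffic to every listed address through while a single negated table does not.

```python
"""Model of 'pass in proto tcp to !self' expanded as a rule list vs. a table.

Constructed example, not OpenBSD code. pf is last-match-wins: a pass rule
negating one address still matches packets sent to every other address, so
per-address expansion of '!{a, b}' ends up passing traffic to a and to b.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str        # "pass" or "block"
    dst: frozenset     # destination addresses this rule tests against
    negate: bool       # True models 'to !...'

    def matches(self, dst_addr: str) -> bool:
        hit = dst_addr in self.dst
        return not hit if self.negate else hit


def expand_list(addrs):
    """Macro-style expansion: one negated rule per address (short lists)."""
    return [Rule("pass", frozenset({a}), True) for a in addrs]


def expand_table(addrs):
    """Optimizer-style expansion: one rule negating a single table."""
    return [Rule("pass", frozenset(addrs), True)]


def evaluate(ruleset, dst_addr, default="block"):
    """Simplified pf semantics: the last matching rule decides."""
    decision = default
    for rule in ruleset:
        if rule.matches(dst_addr):
            decision = rule.action
    return decision


SELF = ["192.0.2.1", "192.0.2.2"]   # constructed: the host's own addresses
FORWARDED = "198.51.100.9"          # constructed: a non-local destination


def decisions(ruleset):
    """Verdict per destination: local addresses should be blocked, others passed."""
    return {a: evaluate(ruleset, a) for a in SELF + [FORWARDED]}


if __name__ == "__main__":
    print("list  :", decisions(expand_list(SELF)))   # every address passes
    print("table :", decisions(expand_table(SELF)))  # only the forwarded one passes
```

The list form is the behaviour Stuart calls "doesn't do the right thing": traffic to the host's own addresses is passed, which is exactly what the rule was meant to exclude.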